flask-security

Unique Salt per User using Flask-Security

久未见 提交于 2019-12-05 04:22:55
After reading here a bit about salting passwords, it seems that it's best to use a unique salt for each user. I'm working on implementing Flask-Security atm, and from the documentation it appears you can only set a global salt: ie SECURITY_PASSWORD_SALT = 'thesalt' Question: How would one go about making a unique salt for each password? Thanks! edit: from the docs on Flask-Security, I found this, which seems to again suggest that this module only uses a single salt for all passwords out of the box. flask_security.utils.get_hmac(password) Returns a Base64 encoded HMAC+SHA512 of the password

How to run custom code at login with flask-security

房东的猫 提交于 2019-12-05 03:46:52
I am new to flask, but moderately proficient in python - I have a flask app that uses flask-security for user authentication. I would like to add some additional functionality to the user login process. Specifically, I need to save the user's auth_token (which I have set up to be a one-time-use token) to the db when they login, and remove it when they log out. The issue comes because flask-security does not (to my knowledge) expose the machinery of logging in directly to the developer. As far as I can tell from the code, it imports flask-login, which uses a login_user function. I started out

Users appear to be logged in as another user

女生的网名这么多〃 提交于 2019-12-04 14:09:36
I'm using Flask-Security to manage users, and I'm getting reports that users are logged-in successfully as themselves, but randomly when they load a page, it will show them logged as someone completely different. I'm not sure where I'm going wrong. What are possible ways this could happen? I user a UserService to do some simple user management. I instantiate a user service before every request and pass in current_user. @app.before_request def load_request_services(): g.user_service = UserService(user_datastore, application_service, email_service, ORGS, current_user) Then, I get the current

how to override login of flask-security?

一个人想着一个人 提交于 2019-12-04 03:41:48
问题 I want to do some customization when a user login. The problem is that the project is using flask-security which is implicitly handles user login. I want to check some records of users in the database when users login. how can i override "login" function in flask-security? I saw similar post, tried but not working. Plus, it is not exactly what I want to do. I maybe need to stop the default behavior in case of some users. So, anyone having this kind of issue? how can I do it? Thanks! 回答1: You

Setting a default role in flask-security

假如想象 提交于 2019-12-03 21:13:29
I am trying to set a default role when a user registers with my site, currently no roles are set when the user registers. I have created the roles I need, so I just need to define it somehow. Not sure how though. The code I have is pretty much copy paste from the quick start guide. Anyway, here it is: # Define models roles_users = db.Table('roles_users', db.Column('user_id', db.Integer(), db.ForeignKey('user.id')), db.Column('role_id', db.Integer(), db.ForeignKey('role.id'))) class Role(db.Model, RoleMixin): id = db.Column(db.Integer(), primary_key=True) name = db.Column(db.String(80), unique

Flask-Security CSRF token

浪尽此生 提交于 2019-12-03 16:59:09
问题 I have a flask app that serves as REST API backend. I would like to implement token based authentication for the backend but in order to do that I need to retrieve the user token. Flask-Security documentation clearly says that to retrieve the token one needs to perform an HTTP POST with the authentication details as JSON data to the authentication endpoint. Unfortunately I don't understand how to retrieve the CSRF token needed to perform such request. If I use the login page/template provided

How to use Flask-Security register view?

倖福魔咒の 提交于 2019-12-03 10:18:35
Has anyone used Flask-Security extension for authentication? How do I get register view to work? http://packages.python.org/Flask-Security/customizing.html I am referring to link above. @app.route('/register', methods=['GET']) def register(): return render_template('security/register_user.html') I don't want to extend the default class, I just want to wrap the default registration view in my site layout so I did this. {% extends "layout.html" %} {% block title %}upload{% endblock %} {% block body %} {% from "security/_macros.html" import render_field_with_errors, render_field %} {% include

Combining Flask-restless, Flask-security and regular Python requests

£可爱£侵袭症+ 提交于 2019-12-03 06:13:56
问题 My goal is to provide a REST API to my web application. Using: Python 2.7.5 Flask==0.10.1 Flask-Restless==0.13.1 Flask-Security==1.7.3 I need to secure access to my data for both web and REST access. However, I am unable to get any regular python request succeeding when trying to connect to secured API. The following outputs are obtained using the fully-functional module provided at the end of this question. I manage to get a correct answer when using http://127.0.0.1:5000/api/v1/free_stuff :

Flask-Security CSRF token

走远了吗. 提交于 2019-12-03 06:02:58
I have a flask app that serves as REST API backend. I would like to implement token based authentication for the backend but in order to do that I need to retrieve the user token. Flask-Security documentation clearly says that to retrieve the token one needs to perform an HTTP POST with the authentication details as JSON data to the authentication endpoint. Unfortunately I don't understand how to retrieve the CSRF token needed to perform such request. If I use the login page/template provided with the extension the CSRF token is passed to the client in the hidden field in the form. The

Combining Flask-restless, Flask-security and regular Python requests

拜拜、爱过 提交于 2019-12-02 20:50:38
My goal is to provide a REST API to my web application. Using: Python 2.7.5 Flask==0.10.1 Flask-Restless==0.13.1 Flask-Security==1.7.3 I need to secure access to my data for both web and REST access. However, I am unable to get any regular python request succeeding when trying to connect to secured API. The following outputs are obtained using the fully-functional module provided at the end of this question. I manage to get a correct answer when using http://127.0.0.1:5000/api/v1/free_stuff : >>> import requests >>> r=requests.get('http://127.0.0.1:5000/api/v1/free_stuff') >>> print 'status:',